Adobe zero-day used in watering hole attack against Syrian dissidents

Pierluigi Paganini April 29, 2014

Adobe has just released a security updates for Flash Player to fix critical vulnerabilities that are being exploited by hackers to track Syrian dissidents.

Adobe has just released security updates for Flash Player to fix critical vulnerabilities that are being exploited in a series of cyber attacks targeting Syrian dissidents complaining about the government.

Early April experts at Kaspersky Lab discovered a couple of new zero-day exploits in the wild based on the vulnerability coded as CVE-2014-0515. The flaw affected the Flash Player Pixel Bender component, no longer supported by Adobe, used for video and image processing.

The attackers conducted a watering hole attack serving both exploits from a site (http://jpic.gov.sy/) created by the Syrian Ministry of Justice to provide an online forum for citizens to complain about law and order violations. The website was compromised last September 2013 and the attacker announced the hack through his twitter account.

Adobe watering hole attack twitter hack

“According to KSN data, these exploits were stored as movie.swf and include.swf at an infected site. The only difference between the two pieces of malware is their shellcodes. It should be noted that the second exploit (include.swf) wasn’t detected using the same heuristic signature as the first, because it contained a unique shellcode. Each exploit comes as an unpacked flash video file. The Action Script code inside was neither obfuscated nor encrypted.” reported the post published on SecureList.

Adobe watering hole attack

The versions of Adobe Flash Player affected by the vulnerability include:

  • Adobe Flash Player 13.0.0.182 and earlier versions for Windows
  • Adobe Flash Player 13.0.0.201 and earlier versions for Macintosh
  • Adobe Flash Player 11.2.202.350 and earlier versions for Linux

“We are sure that all these tricks were used in order to carry out malicious activity against a very specific group of users without attracting the attention of security solutions. We believe that the Cisco add-in mentioned above may be used to download/implement the payload as well as to spy directly on the infected computer.”

The links used by the attackers appear like

http://jpic.gov.sy/css/images/_css/***********

probably the attackers created a folder where they loaded the exploits to redirect the victims using a frame or a script located at the site.

“To date, April 28, the number of detections by our products has exceeded 30. They were detected on the computers of seven unique users, all of them in Syria, which is not surprising considering the nature of the site. Interestingly, all the attacked users entered the website using various versions of Mozilla Firefox.” “Although we’ve only seen a limited number attempts to exploit this vulnerability, we’re strongly recommending users to update their versions of Adobe Flash Player software,” “It is possible that once information about this vulnerability becomes known, criminals would try to reproduce these new exploits or somehow get the existing variants and use it in other attacks. Even with a patch available, cybercriminals would expect to profit from this vulnerability because a worldwide update of software as widely used as Flash Player will take some time. Unfortunately this vulnerability will be dangerous for a while.” states the post.

The attacks that exploited the flaw in Adobe Player product are probably the result of a carefully planned operation made by high skilled hackers who have had access to 0-day exploits. The attackers used the exploits on a simple website to conduct a surgical operation avoiding to be detected.

Pierluigi Paganini

(Security Affairs –  Watering hole, Adobe)



you might also like

leave a comment